I have created a delim operator as follows:
| makemv delim="," TONE
which returns the following values in the TONE field:
0.86767895878525
3.25379609544469
2.38611713665944
5.63991323210412
24.7288503253796
0.867678958785249
I would like to separate each of these values into new fields at the time of search:
Tone
Positive Score
Negative Score
Polarity
Activity Reference Density
Reference Density
Is this possible?
Assuming the makemv command is returning data in the right format into a field named tone, to extract each value use the following command:
..| eval gkg_Tone1=mvindex(tone, 0) | eval gkg_Pos_Score=mvindex(tone, 1)
and so on for the rest of the fields. This assumes the order in which the 6 data points are arranged is always the same.
The mvindex function will let you select individual elements in a multivalued field: http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/Commonevalfunctions
Thanks Dart,
How do I structure the command:
I want to take each of these values in a field named gkg_TONE (there are always 6 values comma separated):
0, 3.25379609544469, 2.38611713665944, 0, 24.7288503253796, 0.867678958785249
With these values I would like to create these fields:
gkg_TONE1="0"
gkg_Pos_Score="3.25379609544469"
gkg_Neg_Score="2.38611713665944"
gkg_Polarity="0"
gkg_Ativity_Ref="24.7288503253796"
gkg_Ref_Dens="0.867678958785249"
I have tried this:
| eval n=mvindex (gkg_TONE, gkg_TONE1, gkg_Pos_Score, gkg_Neg_Score, gkg_Polarity, gkg_Ativity_Ref, gkg_Ref_Dens)
but get:
"Error in 'eval' command: The arguments to the 'mvindex' function are invalid."
Please can you help.
Thanks,
Jonathan
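Added example, not part of the original thread: mvindex takes the multivalue field, a start index and an optional end index, so each call returns one element rather than accepting a list of output field names. The first two lines build a constructed sample event (makeresults is assumed to be available in your Splunk version; in a real search, replace them with the base search that yields gkg_TONE), and trim removes the space left after each comma.

```spl
| makeresults
| eval gkg_TONE="0, 3.25379609544469, 2.38611713665944, 0, 24.7288503253796, 0.867678958785249"
| makemv delim="," gkg_TONE
| eval gkg_TONE1=trim(mvindex(gkg_TONE, 0))
| eval gkg_Pos_Score=trim(mvindex(gkg_TONE, 1))
| eval gkg_Neg_Score=trim(mvindex(gkg_TONE, 2))
| eval gkg_Polarity=trim(mvindex(gkg_TONE, 3))
| eval gkg_Ativity_Ref=trim(mvindex(gkg_TONE, 4))
| eval gkg_Ref_Dens=trim(mvindex(gkg_TONE, 5))
| table gkg_TONE1 gkg_Pos_Score gkg_Neg_Score gkg_Polarity gkg_Ativity_Ref gkg_Ref_Dens
```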